CIA Employees First Victims of The U.S. OPM Hack

Irony came back to the shores of the United States in the month of September as the CIA was forced to recall a number of undercover agents working in China. The agents’ names and identities were part of the millions of records exposed by the hack of the U.S. Office of Personnel Management earlier in 2015.

The OPM hack was called, “the gift that keeps on giving for years” by the Director of National Intelligences, James Clapper.

A subsequent audit of the OPM’s security practices and posture demonstrated that the infrastructure was in shambles, lacking logging and monitoring, systems updates and patches, with some systems not having been reviewed in several years. Also, some of the most critical databases and back-end systems lacked multi-factor authentication and many of them were not even authorized to be on the network!

The breach affected tens of millions of past and current government employees, exposing medical history and background investigations forms and details about the individuals, including CIA agents and embassy staffers.

As CIA agents do not usually show up on diplomatic manifests and lists of staffers, Chinese intelligence could deduce that missing names would be strong indicators of CIA operatives or other secret activities performed by the individuals in question.

According to the Washington Post, Clapper told a congressional panel that the OPM breach was not so much an attack as a form of espionage, and that both nations engage in this behavior. What happened in OPM case, “as egregious as it was,” Clapper said, was not an attack: “Rather, it would be a form of theft or espionage.”

Clapper said that the OPM hack “has very serious implications . . . from the standpoint of the intelligence community and the potential for identifying people” who may be undercover.